Login package provides comprehensive login authentication logic and related UI interfaces. It is designed to simplify the process of adding user authentication to QOR5-based backend development project.
In QOR5 admin development, we recommend using github.com/qor5/admin/login, which wraps github.com/qor5/x/login to keep the theme of login UI consistent with Presets and provide more powerful features.

Basic Usage

The example shows how to enable both username/password login and OAuth login.

Username/Password Login

To enable Username/Password login, the UserModel needs to implement the UserPasser interface. There is a default implementation - UserPass.

Change Password

There are three ways to change the password:

1. Visit the default change password page.

2. Call the OpenChangePasswordDialogEvent event to change it in dialog.

3. Change the password directly in Editing.


By default, it allows 5 login attempts with incorrect credentials, and if the limit is exceeded, the user will be locked for 1 hour. This helps to prevent brute-force attacks on the login system. You can call MaxRetryCount to set the maximum retry count. If you set MaxRetryCount to a value less than or equal to 0, it means there is no limit of login attempts, and the user will not be locked after a certain number of failed login attempts.


There is TOTP (Time-based One-time Password) functionality out of the box, which is enabled by default.

Google reCAPTCHA

Google reCAPTCHA is disabled by default.

OAuth Login

OAuth login is based on goth.
OAuth login does not require a UserModel. If there is a UserModel, it needs to implement the OAuthUser interface. There is a default implementation - OAuthInfo.

Session Secure

The SessionSecurer provides a way to manage unique salt for a user record. There is a default implementation - SessionSecure.

SessionSecurer helps to ensure user security even in the event of secret leakage. When a user logs in, SessionSecurer generates a random salt and associates it with the user's record. This salt is then used to sign the user's session token. When the user makes requests to the server, the server verifies that the session token has been signed with the correct salt. If the salt has been changed, the session token is considered invalid and the user is logged out.


Hooks are functions that are called before or after certain events.
The following hooks are available:


Extra Values

  • password

This hook is called before resetting or changing a password. The hook can be used to validate password formats.


This hook is called after a successful login.


Extra Values

  • login error

This hook is called after a failed login. Note that the user parameter may be nil.


This hook is called after a user is locked.


This hook is called after a logout.


Extra Values

  • reset link

This hook is called after confirming the sending of a password reset link. This is where the code to send the reset link to the user should be written.


This hook is called after a password is reset.


This hook is called after a password is changed.


Extra Values

  • old session token

This hook is called after a session is extended.


This hook is called after a TOTP code has been reused.


This hook is called after an OAuth authentication is completed.

Customize Pages

To customize pages, there are two ways:

1. Each page has a corresponding xxxPageFunc to rewrite the page content. You can easily customize a page by copying the default page func and modifying it according to your needs.

2. Only mount the API and serve the login pages manually.
When you want to embed the login form into an existing page, this way can be very useful.